US10298553B2 - Hardware trusted data communications over system-on-chip (SOC) architectures - Google Patents
- Publication number
- US10298553B2 (US15/475,212, US201715475212A)
- Authority
- US
- United States
- Prior art keywords
- data application
- hardware trust
- soc
- transceiver
- data
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Classifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G06F21/44—Program or device authentication
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/602—Providing cryptographic facilities or services
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
- H04L63/0272—Virtual private networks
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/126—Applying verification of the received information the source of the received data
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- G06F2221/2103—Challenge-response
Definitions
- CPUs Central Processing Units
- RAM Random Access Memory
- I/O Input/Output
- bus interfaces
- user interfaces
- The CPUs retrieve software from their own internal storage, the RAM, and the persistent data storage.
- the CPUs execute the software to drive the I/O transceivers and the user interfaces.
- a CPU may retrieve and execute a crypto software application that encrypts and decrypts user data.
- SOC System-On-Chip
- the typical SOC has CPU cores, RAM, data storage, I/O transceivers, and bus interfaces.
- SOCs may include additional components like Graphics Processing Units (GPUs), Direct Memory Access (DMA) controllers, and the like.
- GPUs Graphics Processing Units
- DMA Direct Memory Access
- Encryption protects data communications by mathematically and logically hashing data with a secret key to generate a hash result.
- a public key may be used to decrypt this hash result and recover the original data.
- the entities share secret keys that are used to encrypt and decrypt the data.
- Hardware-based encryption embeds most of this crypto processing in hardware circuitry.
- the circuitry comprises hardware like data registers, logic gates, multiplexers, clocks, and the like.
- the hardware circuitry can generate random numbers and secret keys, receive and transfer numbers and keys, and use the keys to encrypt and decrypt data.
- SOC I/O transceivers use hardware-based encryption to communicate over Local Area Networks (LANs) and Wide Area Networks (WANs).
- the SOC I/O transceivers may also use hardware based encryption for internal security with other SOC components.
- Hardware trust entails the physical validation of the computer hardware that is executing computer software.
- the computer hardware, like a CPU, has an identity code that is a shared secret key.
- a hardware trust server also knows the shared secret key.
- the hardware trust server issues random number challenges to software that is executing on the computer hardware.
- the software that is executing on the hardware hashes the random number with the shared secret key to return a hardware trust result to the hardware trust server.
- the hardware trust server hashes the same random number with the shared secret key to generate the same hardware trust result. If the hardware trust results match, then the software application has hardware trust. The process can be repeated to refresh the hardware trust for the software application.
- the hardware trust server may also digitally sign and issue hardware trust certificates to the software application as it achieves and maintains hardware trust.
- the software application may then share its hardware trust digital certificates with other entities to demonstrate hardware trust by the hardware trust server.
- the other entities may use a public key for the hardware trust server to decrypt and validate the hardware trust digital certificates for the software application.
- a System-On-Chip exchanges hardware trusted data communications.
- a Central Processing Unit (CPU) executes an internal data application.
- An I/O transceiver receives a data message from an external data application for the internal data application. The message has encrypted user data and an encrypted hardware trust certificate for the external data application.
- the transceiver decrypts the hardware trust certificate for the external data application and transfers the decrypted hardware trust certificate to a SOC kernel.
- the SOC kernel validates the decrypted hardware trust certificate for the external data application and notifies the I/O transceiver.
- the I/O transceiver decrypts the user data.
- the I/O transceiver transfers the decrypted user data to the CPU for delivery to the internal data application in response to the notification from the SOC kernel.
- FIG. 1 illustrates a data communication System-On-Chip (SOC) to exchange hardware trusted data communications.
- FIG. 2 illustrates an I/O transceiver in the SOC to receive hardware trusted data communications.
- FIG. 3 illustrates another version of the SOC to receive hardware trusted data communications.
- FIG. 4 illustrates an I/O transceiver in the SOC to transfer hardware trusted data communications.
- FIG. 5 illustrates another version of the SOC to transfer hardware trusted data communications.
- FIG. 6 illustrates the operation of the data communication SOC to exchange hardware trusted data communications.
- FIG. 7 illustrates a Network Function Virtualization (NFV) SOC to exchange hardware trusted data communications.
- NFV Network Function Virtualization
- FIG. 8 illustrates an NFV data communication system to exchange hardware trusted data communications.
- FIG. 9 illustrates the operation of the NFV data communication system to exchange hardware trusted data communications.
- FIG. 10 illustrates a data communication SOC to exchange hardware trusted data communications.
- FIG. 1 illustrates System-On-Chip (SOC) 100 to exchange hardware trusted data communications.
- SOC 100 comprises Central Processing Unit (CPU) cores 101 - 103 , Input/Output (I/O) transceivers (XCVRs) 111 - 113 , data bus 120 , and data memories 121 - 126 .
- CPU core 101 executes data application # 1 (APP # 1 ).
- CPU core 102 executes data application # 2 (APP # 2 ).
- CPU core 103 executes a SOC kernel.
- SOC 100 has a secret, physically-embedded, read-only hardware trust (HW) key. Although shown coupled to data bus 120 for clarity, the hardware trust key may be embedded elsewhere in SOC 100 , such as CPU core 103 or data memory 126 . Hardware trust server 150 also stores the hardware key. SOC 160 is configured in a similar manner to SOC 100 and executes data application # 3 (APP # 3 ). SOC 160 has its own secret, physically-embedded, read-only hardware trust key that is also known to hardware trust server 150 .
- HW hardware trust
- CPU cores 101 - 103 comprise micro-processing circuitry like logic units, control units, I/O lines, and data registers.
- the SOC kernel comprises hardware drivers, memory controllers, timers, interrupt interfaces, interrupt controllers, schedulers, boot-up instructions, and the like.
- APPs # 1 - 3 comprise data communication software with a few examples being servers, databases, and social networks.
- the APPs and the SOC kernel are stored in data memories 121 - 126 and are loaded into CPU cores 101 - 103 for execution.
- I/O transceivers 111 - 113 comprise communication ports, encryption/decryption circuitry, control circuitry, memory, signal processing circuitry, and software.
- I/O transceivers 111 - 113 may use protocols like Institute of Electrical and Electronics Engineers (IEEE) 802.3, Universal Serial Bus, IEEE 802.11, Personal Area Network (PAN), Universal Synchronous/Asynchronous Receiver/Transmitter (USART), Wave Division Multiplexing (WDM), Long Term Evolution (LTE), Integrated Circuit Card (ICC), and the like.
- the encryption/decryption circuitry performs hardware-based encryption and decryption. To handle the crypto tasks, the encryption/decryption circuitry in I/O transceivers 111 - 113 generates and shares encryption keys with the encryption/decryption circuitry in other I/O transceivers.
- Data bus 120 comprises metallic and/or optical data links along with integrated control circuitry and software.
- Data memories 121 - 126 comprise Random Access Memory (RAM), flash memory, or some other data storage device.
- Hardware trust server 150 comprises a computer system to establish and maintain hardware trust for APPs # 1 - 3 .
- Hardware trust server 150 maintains networking data that associates APPs # 1 - 3 with their current executing SOCs. For example, a network controller may periodically transfer network data to server 150 that indicates the current network software execution environment for multiple SOCs.
- Hardware trust server 150 may distribute networking data to the SOC kernel and to other SOC kernels that associates APPs 1 - 3 with their current MAC IDs and/or VPN IDs.
- Hardware trust server 150 may also distribute crypto keys to the SOC kernels for use in encrypting and decrypting the hardware trust certificates, MAC IDs, and VPN IDs.
- hardware trust server 150 distributes crypto keys to the SOC kernels to decode and validate the hardware trust server's digital signature.
- hardware trust server 150 issues a random number challenge to APP # 1 over I/O transceiver 111 and CPU core 101 .
- APP # 1 drives CPU core 101 to request hardware trust data from the SOC kernel based on the random number challenge.
- CPU core 103 reads the hardware trust key and hashes the random number challenge with the hardware trust key to generate a hardware trust result.
- the SOC kernel transfers the hardware trust result to APP # 1.
- APP # 1 transfers the hardware trust result to hardware trust server 150.
- Based on its current networking environment data, hardware trust server 150 generates its own hardware trust result with the same random number and hardware trust key for SOC 100. Hardware trust server 150 matches the hardware trust result from APP # 1 with its own result to validate hardware trust of APP # 1 in SOC 100. In response to hardware trust validation, hardware trust server 150 issues a hardware trust certificate to APP # 1 that is time-stamped and digitally signed by hardware trust server 150.
- Hardware trust server 150 and APP # 1 will repeat this process to refresh hardware trust and maintain fresh hardware trust certificates for APP # 1 on its current SOC.
- APP # 1 may report its current Media Access Control Identifier (MAC ID) and/or Virtual Private Network Identifier (VPN ID) to hardware trust server 150 for distribution to SOC 100 and other SOCs.
- Hardware trust server 150 and APPs # 2 - 3 perform a similar process to maintain valid hardware trust certificates for APPs # 2 - 3 on their current SOCs.
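The challenge-response exchange described above, as an added example that is not code from the patent: HMAC-SHA256 stands in for the unspecified hash of the random number with the hardware trust key, and all class and method names are hypothetical. It also shows that a replayed result, and an answer from a SOC other than the one recorded in the server's networking data, both fail.

```python
import hashlib
import hmac
import secrets


def hw_trust_result(hw_key: bytes, challenge: bytes) -> bytes:
    """Hash the random number challenge with the hardware trust key.
    HMAC-SHA256 is an assumption; the patent names no algorithm."""
    return hmac.new(hw_key, challenge, hashlib.sha256).digest()


class SocKernel:
    """Kernel side: only the kernel reads the embedded key, apps get results."""

    def __init__(self, soc_id: str, hw_key: bytes):
        self.soc_id = soc_id
        self._hw_key = hw_key  # models the read-only, physically embedded key

    def answer(self, challenge: bytes) -> bytes:
        return hw_trust_result(self._hw_key, challenge)


class HardwareTrustServer:
    """Server side: knows every SOC's key and where each app currently runs."""

    def __init__(self):
        self._hw_keys = {}   # soc_id -> hardware trust key
        self._app_soc = {}   # app_id -> soc_id (the "networking data")
        self._pending = {}   # app_id -> outstanding challenge

    def enroll_soc(self, soc_id: str, hw_key: bytes) -> None:
        self._hw_keys[soc_id] = hw_key

    def update_networking_data(self, app_id: str, soc_id: str) -> None:
        self._app_soc[app_id] = soc_id

    def issue_challenge(self, app_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[app_id] = challenge
        return challenge

    def check_result(self, app_id: str, result: bytes) -> bool:
        # pop() makes each challenge single use, so a captured result
        # cannot be replayed against the same challenge later.
        challenge = self._pending.pop(app_id, None)
        hw_key = self._hw_keys.get(self._app_soc.get(app_id))
        if challenge is None or hw_key is None:
            return False
        expected = hw_trust_result(hw_key, challenge)
        return hmac.compare_digest(expected, result)  # constant-time compare


if __name__ == "__main__":
    # Constructed keys and identifiers, for illustration only.
    key_100, key_160 = secrets.token_bytes(32), secrets.token_bytes(32)
    server = HardwareTrustServer()
    server.enroll_soc("SOC-100", key_100)
    server.enroll_soc("SOC-160", key_160)
    server.update_networking_data("APP1", "SOC-100")
    soc_100, soc_160 = SocKernel("SOC-100", key_100), SocKernel("SOC-160", key_160)

    challenge = server.issue_challenge("APP1")
    result = soc_100.answer(challenge)
    print("APP1 on SOC-100:", server.check_result("APP1", result))
    print("replayed result:", server.check_result("APP1", result))
    challenge = server.issue_challenge("APP1")
    print("answered by SOC-160:", server.check_result("APP1", soc_160.answer(challenge)))
```

A successful check is the point at which the server would issue the time-stamped, signed hardware trust certificate; repeating the exchange refreshes it.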
- APP # 3 sends a hardware trusted data message to APP # 1 in SOC 100 .
- the hardware trusted data message has a message header, encrypted user data, and an encrypted hardware trust certificate.
- the hardware trust certificate is for APP # 3 .
- I/O transceiver 112 receives the data message. Based on header data or some other trigger, I/O transceiver 112 breaks out the encrypted hardware trust certificate for APP # 3 from the encrypted user message based on data location, pointer, or marker. I/O transceiver 112 decrypts the hardware trust certificate for APP # 3 and transfers the decrypted hardware trust certificate to the SOC kernel in CPU core 103 .
- the SOC kernel drives CPU core 103 to use a known digital signature key for hardware trust server 150 to decode and validate the hardware trust certificate for APP # 3 .
- the SOC kernel drives CPU core 103 to transfer an instruction to I/O transceiver 112 to transfer decrypted user data to APP # 1 in CPU core 101 .
- I/O transceiver 112 decrypts the encrypted user data and transfers the decrypted user data to CPU core 101 .
- CPU core 101 delivers the decrypted user data to APP # 1 .
- APP # 3 may also encrypt and insert its MAC ID and/or VPN ID into the data message.
- I/O transceiver 112 receives the data message and breaks out the encrypted MAC ID and/or VPN ID for APP # 3 along with the hardware trust certificate.
- I/O transceiver 112 transfers the decrypted MAC ID and/or VPN ID for APP # 3 along with the hardware trust certificate to the SOC kernel in CPU core 103 .
- the SOC kernel drives CPU core 103 to validate the MAC ID and/or VPN ID for APP # 3 using networking data from hardware trust server 150 .
- the SOC kernel drives CPU core 103 to transfer the instruction to I/O transceiver 112 to transfer the decrypted user data to CPU core 101 .
- APP # 3 may also encrypt and insert the hardware trust certificate for APP # 1 into the data message.
- I/O transceiver 112 receives the data message and breaks out the encrypted hardware trust certificate for APP # 1 along with the certificate for APP # 3 .
- I/O transceiver 112 transfers the decrypted hardware trust certificate for APP # 1 along with the certificate for APP # 3 to the SOC kernel in CPU core 103 .
- the SOC kernel drives CPU core 103 to validate the hardware trust certificate for APP # 1 .
- the SOC kernel drives CPU core 103 to transfer the instruction to I/O transceiver 112 to transfer the decrypted user data to CPU core 101 .
- APP # 1 in SOC 100 sends a hardware trusted data message to APP # 3 in SOC 160 .
- the hardware trusted data message has a header, encrypted user data, and an encrypted hardware trust certificate for APP # 1 .
- APP # 1 transfers its hardware trust certificate in a data transfer request through CPU core 101 to the SOC kernel in CPU core 103 .
- Hardware trust validation may be omitted in transmitting SOC 100 and applied at receiving SOC 160 .
- transmitting SOC 100 performs hardware trust validation, so the SOC kernel drives CPU core 103 to use a known key for hardware trust server 150 to validate the hardware trust certificate for APP # 1 .
- the SOC kernel drives CPU core 103 to transfer instructions to CPU core 101 and I/O transceiver 112 to transfer user data from APP # 1 in a hardware trusted data message to APP # 3 in SOC 160 .
- the instructions direct I/O transceiver 112 to encrypt the hardware trust certificate for APP # 1 , encrypt the user data, and indicate encrypted hardware trust in the data message header.
- CPU core 101 transfers the user data to I/O transceiver 112 .
- I/O transceiver 112 encrypts the user data and the hardware trust certificate for APP # 1 .
- I/O transceiver 112 transfers a hardware trusted data message to APP # 3 in SOC 160 .
- the data message transports the encrypted user data and the encrypted hardware trust certificate for APP # 1 .
- APP # 1 may also insert its MAC ID and/or VPN ID into the data message.
- CPU core 101 transfers the MAC ID and/or VPN ID to the SOC kernel along with its hardware trust certificate.
- the SOC kernel may drive CPU core 103 to validate the MAC ID and/or VPN ID for APP # 1 using networking data from hardware trust server 150 .
- the SOC kernel drives CPU core 103 to transfer instructions to CPU core 101 and I/O transceiver 112 to transfer the user data in the data message to APP # 3 .
- the instructions direct I/O transceiver 112 to encrypt the MAC ID and/or VPN ID for APP # 1 .
- APP # 1 may also insert the hardware trust certificate for APP # 3 into the data message.
- CPU core 101 transfers the hardware trust certificate for APP # 3 to the SOC kernel along with its hardware trust certificate.
- the SOC kernel may drive CPU core 103 to validate the hardware trust certificate for APP # 3 using the known key for hardware trust server 150 .
- the SOC kernel drives CPU core 103 to transfer instructions to CPU core 101 and I/O transceiver 112 to transfer the user data in the data message to APP # 3 .
- the instructions to I/O transceiver 112 direct the encryption of the hardware trust certificate for APP # 3 .
- the use of hardware trusted communications may be selective and independent of user data encryption.
- the data message may have a header flag, network address, network port, or some other networking marker that directs the transceiver to perform the hardware trust break-out and validation through the SOC kernel.
- This selective use of hardware trusted communications may be implemented for special commands between data applications like server control operations, Software Defined Network (SDN) signaling, Wake-on-LAN (WoL) commands, wireless keyboard controllers, and the like.
- SDN Software Defined Network
- WoL Wake-on-LAN
- FIG. 2 illustrates I/O transceiver 112 in SOC 100 to receive hardware trusted data communications.
- I/O transceiver 112 transfers the block of encrypted data from the hardware trusted data message into a set of data storage registers.
- the data storage registers transfer the encrypted data block to a data switch.
- Based on the preconfigured size and location of the encrypted hardware trust certificate relative to the encrypted user data, the data switch transfers the encrypted hardware trust certificate to hardware trust decryption circuitry.
- the hardware trust decryption circuitry decrypts the hardware trust certificate and transfers the decrypted hardware trust certificate for APP # 3 to the SOC kernel in CPU core 103 .
- the SOC kernel uses the key for hardware trust server 150 to validate the hardware trust certificate for APP # 3 —typically by decrypting the hardware trust server's digital signature with its known key and then matching the decrypted data to expected data.
- the SOC kernel in CPU core 103 transfers an instruction to the user data decryption circuitry to transfer decrypted user data to CPU core 101 .
- the user data decryption circuitry decrypts the encrypted user data and transfers the decrypted user data to CPU core 101 .
- CPU core 101 delivers the decrypted user data to APP # 1 . Additional data for APP # 3 like MAC ID and VPN ID may be added to the hardware trusted data message and validated by SOC 100 .
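The receive path of FIG. 2 as an added sketch, not code from the patent: the message layout, flag value, 300-second freshness window and all names are assumptions, a SHA-256 keystream stands in for the cipher circuitry, and an HMAC tag stands in for the trust server's digital signature. What it demonstrates is the ordering: user data is decrypted only after the kernel accepts the certificate.

```python
import hashlib
import hmac
import struct

FLAG_HW_TRUST = 0x01                   # constructed header flag
CERT_FMT = ">8sQ32s"                   # app id, issue time, server tag (constructed)
CERT_SIZE = struct.calcsize(CERT_FMT)  # 48 bytes: the preconfigured certificate size
HEADER_SIZE = 9                        # 1 flag byte + 8-byte nonce (constructed)
MAX_CERT_AGE_S = 300                   # assumed freshness window


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the encryption/decryption circuitry. Illustrative only:
    it is its own inverse and provides no integrity protection."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def make_cert(server_key: bytes, app_id: bytes, issued_at: int) -> bytes:
    """Trust-server side: time-stamped certificate with an HMAC tag (stand-in
    for the server's digital signature)."""
    body = struct.pack(">8sQ", app_id, issued_at)
    return body + hmac.new(server_key, body, hashlib.sha256).digest()


def build_message(cert, user_data, cert_key, data_key, nonce) -> bytes:
    """Sender side: flag in the header, certificate at a fixed offset."""
    return (bytes([FLAG_HW_TRUST]) + nonce
            + stream_xor(cert_key, nonce, cert)
            + stream_xor(data_key, nonce, user_data))


class SocKernel:
    def __init__(self, server_key: bytes, known_apps: set):
        self.server_key = server_key
        self.known_apps = known_apps   # networking data from the trust server

    def validate(self, cert: bytes, now: int) -> bool:
        if len(cert) != CERT_SIZE:
            return False
        app_id, issued_at, tag = struct.unpack(CERT_FMT, cert)
        expected = hmac.new(self.server_key, cert[:16], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                       # not issued by the trust server
        if not 0 <= now - issued_at <= MAX_CERT_AGE_S:
            return False                       # stale or post-dated
        return app_id.rstrip(b"\0") in self.known_apps


class Transceiver:
    def __init__(self, kernel: SocKernel, cert_key: bytes, data_key: bytes):
        self.kernel, self.cert_key, self.data_key = kernel, cert_key, data_key
        self.user_decrypts = 0   # how often plaintext user data was produced

    def receive(self, message: bytes, now: int):
        """Return decrypted user data, or None if the message is dropped."""
        if len(message) < HEADER_SIZE + CERT_SIZE or not message[0] & FLAG_HW_TRUST:
            return None          # this port accepts hardware trusted messages only
        nonce, block = message[1:HEADER_SIZE], message[HEADER_SIZE:]
        enc_cert, enc_user = block[:CERT_SIZE], block[CERT_SIZE:]   # break-out
        cert = stream_xor(self.cert_key, nonce, enc_cert)
        if not self.kernel.validate(cert, now):
            return None          # user data is never decrypted
        self.user_decrypts += 1  # reached only after the kernel's notification
        return stream_xor(self.data_key, nonce, enc_user)


if __name__ == "__main__":
    # Constructed keys, nonce and payload, for illustration only.
    srv, ck, dk, nonce = b"S" * 32, b"C" * 32, b"D" * 32, b"\x00" * 8
    xcvr = Transceiver(SocKernel(srv, {b"APP3"}), ck, dk)
    msg = build_message(make_cert(srv, b"APP3", 1000), b"wake server 7", ck, dk, nonce)
    print("fresh certificate:", xcvr.receive(msg, now=1100))
    print("stale certificate:", xcvr.receive(msg, now=2000))
```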
- FIG. 3 illustrates another version of SOC 100 to receive hardware trusted data communications.
- the SOC kernel decrypts the hardware trust certificate.
- the SOC kernels in SOC 100 and 160 establish and share hardware trust data encryption keys.
- the decryption circuitry transfers the encrypted hardware trust certificate for APP # 3 to the SOC kernel in CPU core 103 .
- the SOC kernel in CPU core 103 retrieves hardware trust decryption data from its hardware trust database in data memory 126 .
- the SOC kernel in CPU core 103 decrypts the hardware trust certificate with the hardware trust decryption data.
- the SOC kernel then uses the known key for hardware trust server 150 to validate the hardware trust certificate for APP # 3 .
- the SOC kernel in CPU core 103 transfers an instruction to the decryption circuitry to decrypt and transfer the user data to CPU core 101 .
- the SOC kernel transfers an instruction to CPU 101 to receive the decrypted user data for APP # 1 .
- the decryption circuitry decrypts the encrypted user data and transfers the decrypted user data to CPU core 101 .
- CPU core 101 delivers the decrypted user data to APP # 1 . Additional data for APP # 3 like MAC ID and VPN ID may be added to the hardware trusted data message and validated by SOC 100 before the decrypted data is transferred to APP # 1 .
- FIG. 4 illustrates I/O transceiver 112 in SOC 100 to transfer hardware trusted data communications.
- APP # 1 in CPU core 101 transfers its hardware trust certificate in a data transfer request to the SOC kernel in CPU core 103 .
- APP # 1 also transfers user data to user data encryption circuitry in I/O transceiver 112 .
- the SOC kernel uses the known key for hardware trust server 150 to validate the hardware trust certificate for APP # 1 —typically by decrypting the server 150 digital signature and matching the decrypted data to expected data.
- the SOC kernel in CPU core 103 transfers an instruction to CPU 101 to transfer the user data to the user data encryption circuitry.
- the SOC kernel also transfers an instruction to the user data encryption circuitry in I/O transceiver 112 to encrypt and transfer the user data.
- the user data encryption circuitry encrypts the user data and transfers the encrypted user data to a data switch.
- the SOC kernel also transfers an instruction to hardware trust encryption circuitry in I/O transceiver 112 to encrypt and transfer the hardware trust certificate.
- the hardware trust encryption circuitry encrypts the hardware trust certificate and transfers the encrypted hardware trust certificate to the data switch.
- the data switch switches the encrypted data to position the encrypted hardware trust certificate relative to the encrypted user data in the data storage registers.
- I/O transceiver 112 then transmits the encrypted user data and the encrypted hardware trust certificate in the hardware trusted data message. Additional data for APP # 1 like MAC ID and VPN ID may be validated by SOC 100 and added to the hardware trusted data message.
- FIG. 5 illustrates another version of SOC 100 to transfer hardware trusted data communications.
- the SOC kernel encrypts the hardware trust certificate.
- the SOC kernels in SOC 100 and 160 establish and share hardware trust data encryption keys.
- APP # 1 in CPU core 101 transfers its hardware trust certificate in a data transfer request to the SOC kernel in CPU core 103 .
- the SOC kernel uses the key for hardware trust server 150 to validate the hardware trust certificate for APP # 1 .
- the SOC kernel retrieves encryption data from its hardware trust database in data memory 126 .
- the SOC kernel encrypts the hardware trust certificate for APP # 1 based on the encryption data.
- the SOC kernel transfers the encrypted hardware trust certificate for APP # 1 to the encryption circuitry.
- the SOC kernel in CPU core 103 transfers an instruction to CPU 101 to transfer the user data.
- the SOC kernel also transfers an instruction to the encryption circuitry to encrypt and transfer the user data.
- the encryption circuitry encrypts the user data and transfers the encrypted user data along with the encrypted hardware trust certificate for APP # 1 . Additional data for APP # 1 like MAC ID and VPN ID may be validated by SOC 100 and added to the hardware trusted data message.
- FIG. 6 illustrates the operation of data communication SOC 100 to exchange hardware trusted data communications.
- Hardware trust server 150 maintains networking data that associates APPs # 1 - 3 with their current executing SOCs ( 601 ).
- Hardware trust server 150 issues random number challenges to APP # 1 and APP # 3 ( 601 ).
- APPs # 1 and # 3 request hardware trust data from their SOC kernels ( 602 ).
- the SOC kernels generate hardware trust results from their hardware trust keys and the random numbers ( 603 ).
- the SOC kernels transfer the hardware trust results to APP # 1 and APP # 3 ( 603 ).
- APP # 1 and APP # 3 transfer the hardware trust results to hardware trust server 150 .
- Hardware trust server 150 validates hardware trust of both APP # 1 and APP # 3 ( 604 ). In response to hardware trust validation, hardware trust server 150 issues hardware trust certificates to APPs # 1 and # 3 ( 604 ).
- SOC 100 receives a hardware trusted data message from APP # 3 to APP # 1 .
- the hardware trusted data message has a message header, encrypted user data, and an encrypted hardware trust certificate for APP # 3 ( 605 ).
- I/O transceiver 112 breaks out the encrypted hardware trust certificate for APP # 3 from the encrypted user message ( 606 ).
- I/O transceiver 112 decrypts the hardware trust certificate for APP # 3 and transfers the decrypted hardware trust certificate to the SOC kernel ( 606 ).
- the SOC kernel validates the hardware trust certificate for APP # 3 ( 607 ).
- the SOC kernel transfers an instruction to I/O transceiver 112 to transfer decrypted user data to APP # 1 ( 607 ).
- I/O transceiver 112 decrypts the encrypted user data and transfers the decrypted user data to CPU core 101 ( 608 ).
- CPU core 101 delivers the decrypted user data to APP # 1 ( 609 ).
- APP # 1 returns a hardware trusted data message to APP # 3 in SOC 160 ( 609 ).
- the hardware trusted data message has a header, encrypted user data, and an encrypted hardware trust certificate for APP # 1 ( 609 ).
- APP # 1 transfers its hardware trust certificate in a data transfer request to its SOC kernel ( 609 ).
- the SOC kernel validates the hardware trust certificate for APP # 1 in this example ( 610 ).
- the SOC kernel transfers instructions to CPU core 101 and I/O transceiver 112 to transfer user data from APP # 1 in a hardware trusted data message to APP # 3 in SOC 160 ( 610 ).
- CPU core 101 transfers the user data to I/O transceiver 112 ( 611 ).
- I/O transceiver 112 encrypts the hardware certificate for APP # 1 and encrypts the user data ( 612 ).
- I/O transceiver 112 indicates encrypted hardware trust in the data message header ( 612 ).
- I/O transceiver 112 transfers a data message to APP # 3 in SOC 160 that transports the encrypted user data and the encrypted hardware trust certificate for APP # 1 ( 612 ).
- FIG. 7 illustrates Network Function Virtualization (NFV) SOC 700 to exchange hardware trusted data communications.
- NFV SOC 700 comprises CPUs 701 - 702 and I/O transceivers 711 - 712 .
- CPU 701 executes a SOC kernel and its kernel modules like boot-up instructions, hardware drivers, processing schedulers, Direct Memory Access (DMA) controllers, and hardware trust kernel modules.
- CPU 701 has hardware trust key 751 that is also known to hardware trust server 750 .
- Hardware trust key 751 is physically-embedded and read-only within CPU 701 .
- CPU 702 executes an Operating System (OS) that supports virtualization and/or containerization.
- CPU 702 executes Virtual Network Function (VNF) 731 .
- VNF 731 has a hardware trust certificate, VPN ID and MAC ID.
- VNF 731 comprises a data communications service function chain that performs data networking tasks. Exemplary networking tasks include data packet handling, data network controls, and network applications.
- VNF 731 may be part of a base station, gateway, controller, data machine, database, or some other network element.
- Another CPU executes VNF 732 .
- VNF 732 also has a hardware trust certificate, VPN ID and MAC ID.
- I/O transceiver 711 comprises an I/O controller (CNT), ports, decryption circuitry, and encryption circuitry.
- I/O transceiver 711 uses IEEE 802.3. To handle crypto tasks, the encryption/decryption circuitry and the I/O controller in I/O transceiver 711 establish and share encryption keys with the encryption/decryption circuitry in other I/O transceivers.
- NFV Management and Orchestration (MANO) 760 controls the execution of VNF 731 on CPU 702 in SOC 700 .
- NFV MANO 760 may allocate VNF 731 the MAC ID and/or VPN ID.
- NFV MANO 760 controls the execution of VNF 732 and other VNFs in a similar fashion.
- NFV MANO 760 transfers NFV data to hardware trust server 750 that associates individual VNFs with their current SOCs, CPUs, MAC IDs, and VPNs.
- Hardware trust server 750 distributes crypto keys to the SOC kernels to decode and validate the hardware trust server's digital signature.
- hardware trust server 750 issues a random number challenge to VNF 731 —possibly through I/O transceiver 712 and the SOC kernel.
- VNF 731 requests hardware trust support from the SOC kernel based on the random number challenge.
- the SOC kernel reads hardware trust key 751 and hashes the random number with key 751 to generate a hardware trust result.
- the SOC kernel transfers the hardware trust result to VNF 731 .
- VNF 731 transfers the hardware trust result along with its MAC ID and VPN ID to hardware trust server 750 .
- Based on its current NFV data, hardware trust server 750 generates its own hardware trust result with the random number and hardware trust key 751 . Hardware trust server 750 matches the hardware trust result from VNF 731 with its own result to validate hardware trust of VNF 731 in NFV SOC 700 . Hardware trust server 750 may also validate the MAC ID and VPN ID based on NFV data from MANO 760 . In response to hardware trust validation, hardware trust server 750 issues the hardware trust certificate to VNF 731 . The hardware trust certificate indicates hardware trust for VNF 731 and its MAC ID and VPN ID. The hardware trust certificate is time-stamped and digitally signed by hardware trust server 750 . Hardware trust server 750 and VNF 731 repeat this process to refresh the hardware trust certificate. Hardware trust server 750 and VNF 732 perform a similar process to maintain the hardware trust certificate for VNF 732 .
- VNF 732 sends a hardware trusted data message to VNF 731 in SOC 700 .
- the hardware trusted data message has a message header, encrypted user data, and an encrypted hardware trust certificate for VNF 732 .
- I/O transceiver 711 receives the data message and the decryption circuitry decrypts the hardware trust certificate for VNF 732 .
- the I/O controller in transceiver 711 transfers the decrypted hardware trust certificate for VNF 732 to the SOC kernel in CPU 701 .
- the SOC kernel activates its hardware trust kernel module.
- the hardware trust kernel module drives CPU 701 to decrypt and validate the hardware trust certificate for VNF 732 .
- the validation includes checking the time-stamp from the hardware trust certificate for freshness.
- the SOC kernel directs its DMA controller to drive CPU 702 and I/O transceiver 711 to transfer decrypted user data to VNF 731 in CPU 702 .
- I/O transceiver 711 decrypts the encrypted user data and transfers the decrypted user data to CPU 702 .
- CPU 702 delivers the decrypted user data to VNF 731 .
- VNF 731 in SOC 700 returns a hardware trusted data message to VNF 732 .
- the hardware trusted data message has a header, encrypted user data, and an encrypted hardware trust certificate for VNF 731 .
- VNF 731 transfers its hardware trust certificate, MAC ID, and VPN ID in a data transfer request through the OS in CPU core 702 to the SOC kernel in CPU 701 .
- the SOC kernel directs the hardware trust kernel module to validate the hardware trust certificate, MAC ID, and VPN ID for VNF 731 .
- the hardware trust kernel module uses the public key of hardware trust server 750 to validate the trust certificate and check the time stamp for freshness.
- the SOC kernel directs the DMA to instruct CPU 702 and I/O transceiver 711 to transfer user data from VNF 731 in a hardware trusted data message to VNF 732 .
- the instructions direct the encryption circuitry in I/O transceiver 711 to encrypt the hardware trust certificate for VNF 731 , encrypt the user data, and indicate encrypted hardware trust in the data message header.
- CPU 702 transfers the user data to I/O transceiver 711 .
- the encryption circuitry in I/O transceiver 711 encrypts the user data and the hardware trust certificate for VNF 731 .
- the hardware trust certificate includes the MAC ID and VPN ID for VNF 731 .
- I/O transceiver 711 transfers the hardware trusted data message to VNF 732 .
- the data message transports the encrypted user data and the encrypted hardware trust certificate for VNF 731 .
- The use of hardware trusted communications in NFV SOC 700 is selective.
- the data message may have a flag, address, port, or some other marker that directs transceiver 711 to perform the hardware trust break-out and validation through the SOC kernel.
- This selective use of hardware trusted communications is implemented for special commands between VNFs like SDN signaling and WoL commands.
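The FIG. 7 trust cycle described above (random number challenge, hardware trust result, certificate issuance, and the receiving kernel's signature and time-stamp check), sketched as an added example that is not code from the patent. Assumptions: HMAC-SHA256 serves as the keyed hash of the random number, an HMAC stands in for the server's digital signature (so the verify key equals the signing key, unlike the public key the patent describes), the 300-second freshness window and single-use challenge tracking are illustrative, and all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_CERT_AGE_S = 300  # assumed freshness window; the patent states no value


def hardware_trust_result(hw_key: bytes, challenge: bytes) -> bytes:
    """SOC kernel: hash the random number with the read-only hardware trust key.
    HMAC-SHA256 is an assumed choice of keyed hash."""
    return hmac.new(hw_key, challenge, hashlib.sha256).digest()


def sign_body(key: bytes, body: dict) -> str:
    """Stand-in for the trust server's digital signature (HMAC over canonical JSON)."""
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


class HardwareTrustServer:
    def __init__(self, signing_key: bytes, nfv_data: dict):
        self.signing_key = signing_key
        self.nfv_data = nfv_data  # from MANO: vnf -> hw_key, mac_id, vpn_id
        self.pending = {}         # vnf -> outstanding random number

    def issue_challenge(self, vnf: str) -> bytes:
        self.pending[vnf] = secrets.token_bytes(32)
        return self.pending[vnf]

    def issue_certificate(self, vnf, result, mac_id, vpn_id, now=None):
        """Return a signed, time-stamped certificate, or None if validation fails."""
        challenge = self.pending.pop(vnf, None)  # single use: a replayed result fails
        record = self.nfv_data.get(vnf)
        if challenge is None or record is None:
            return None
        # The server recomputes the result from its own copy of the key and compares.
        expected = hardware_trust_result(record["hw_key"], challenge)
        if not hmac.compare_digest(expected, result):
            return None
        # MAC ID and VPN ID must match what the orchestrator allocated.
        if (mac_id, vpn_id) != (record["mac_id"], record["vpn_id"]):
            return None
        body = {"vnf": vnf, "hw_trust": True, "mac_id": mac_id, "vpn_id": vpn_id,
                "issued_at": int(time.time() if now is None else now)}
        return {"body": body, "sig": sign_body(self.signing_key, body)}


def kernel_validate(cert, verify_key, claimed_mac, claimed_vpn, now=None):
    """Receiving SOC kernel: signature first, then freshness, then identity binding."""
    now = time.time() if now is None else now
    if not isinstance(cert, dict):
        return "malformed"
    body, sig = cert.get("body"), cert.get("sig")
    if not isinstance(body, dict) or not isinstance(sig, str):
        return "malformed"
    try:
        expected = sign_body(verify_key, body)
    except (TypeError, ValueError):
        return "malformed"
    if not hmac.compare_digest(expected.encode(), sig.encode("utf-8", "replace")):
        return "bad-signature"
    issued = body.get("issued_at")
    # Reject both expired certificates and time-stamps from the future.
    if not isinstance(issued, int) or not 0 <= now - issued <= MAX_CERT_AGE_S:
        return "stale"
    if body.get("hw_trust") is not True:
        return "untrusted"
    if (body.get("mac_id"), body.get("vpn_id")) != (claimed_mac, claimed_vpn):
        return "identity-mismatch"
    return "ok"


if __name__ == "__main__":
    key_751 = secrets.token_bytes(32)  # constructed stand-in for hardware trust key 751
    mac, vpn = "02:00:00:00:07:31", "vpn-7"  # constructed sample identifiers
    server = HardwareTrustServer(
        secrets.token_bytes(32),
        {"VNF731": {"hw_key": key_751, "mac_id": mac, "vpn_id": vpn}})
    nonce = server.issue_challenge("VNF731")
    cert = server.issue_certificate(
        "VNF731", hardware_trust_result(key_751, nonce), mac, vpn)
    print(kernel_validate(cert, server.signing_key, mac, vpn))
```

Checking the signature before reading the time-stamp or identifiers means the kernel never acts on unauthenticated certificate fields.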
- FIG. 8 illustrates NFV data communication system 800 to exchange hardware trusted data communications.
- NFV data communication system 800 comprises user communication device 801 , NFV Infrastructure (NFVI) 802 , and hardware trust server 850 .
- User communication device 801 could be a phone, computer, or some other intelligent machine with data communication components.
- User communication device 801 has a SOC that comprises a kernel, transceiver, hardware trust key, and application 811 (the CPUs are omitted for clarity).
- the transceiver has a port, crypto circuitry, and controller (CNT).
- Application 811 has a hardware trust certificate, MAC ID, VPN ID, and Internet Protocol (IP) address.
- NFVI 802 comprises multiple SOCs and the number is drastically reduced for clarity.
- the exemplary and illustrated NFVI SOC comprises a kernel, transceiver, hardware trust key and VNF 812 (the CPUs are omitted for clarity).
- the transceiver has a port, crypto circuitry, and controller.
- VNF 812 has a hardware trust certificate, MAC ID, VPN ID, and IP address.
- VNF 812 may comprise a data communications service function chain.
- Hardware trust server 850 issues random number challenges to application 811 and VNF 812 .
- Application 811 and VNF 812 request hardware trust handling from their SOC kernels.
- the SOC kernels hash their hardware trust keys with the random numbers to generate hardware trust results.
- the SOC kernels transfer the hardware trust result to application 811 and VNF 812 .
- Application 811 and VNF 812 transfer the hardware trust results along with their MAC ID, VPN ID, and IP addresses to hardware trust server 850 .
- Based on NFV MANO data, hardware trust server 850 generates its own hardware trust results with the random numbers and the hardware trust keys. Hardware trust server 850 matches the hardware trust results from application 811 and VNF 812 with its own results to validate hardware trust of application 811 and VNF 812 . In response to hardware trust validation, hardware trust server 850 issues the hardware trust certificates to application 811 and VNF 812 .
- the hardware trust certificates indicate hardware trust, MAC ID, VPN ID, and IP address.
- the hardware trust certificates are time-stamped and digitally signed by hardware trust server 850 .
- FIG. 9 illustrates the operation of NFV data communication system 800 to exchange hardware trusted data communications.
- Application 811 in user communication device 801 sends a hardware trusted data message for delivery to VNF 812 in NFVI 802 .
- application 811 transfers its hardware trust certificate, MAC ID, VPN ID, and IP address in a data transfer request to the SOC kernel.
- the SOC kernel uses the public key of hardware trust server 850 to validate the hardware trust certificate for application 811 .
- the SOC kernel transfers instructions to the transceiver to transfer user data from application 811 in a hardware trusted data message to VNF 812 .
- the transceiver encrypts the hardware trust certificate for application 811 , encrypts the user data, and indicates encrypted hardware trust in the data message header.
- the transceiver in user communication device 801 transfers the hardware trusted data message to the transceiver in NFVI 802 .
- the SOC transceiver in NFVI 802 receives the data message and decrypts the hardware trust certificate for application 811 .
- the transceiver transfers the decrypted hardware trust certificate for application 811 to the SOC kernel.
- the SOC kernel validates the decrypted hardware trust certificate for application 811 .
- the SOC kernel transfers an instruction to the transceiver to transfer decrypted user data to VNF 812 .
- the transceiver decrypts the encrypted user data and transfers the decrypted user data to VNF 812 .
- VNF 812 returns a hardware trusted data message to application 811 .
- VNF 812 transfers its hardware trust certificate, MAC ID, VPN ID, and IP address in a data transfer request to its SOC kernel.
- the NFVI SOC kernel uses the public key of hardware trust server 850 to validate the hardware trust certificate for VNF 812 .
- the SOC kernel transfers instructions to the transceiver to transfer user data from VNF 812 in a hardware trusted data message to application 811 .
- the transceiver encrypts the hardware trust certificate for VNF 812 , encrypts the user data, and indicates encrypted hardware trust in the data message header.
- the transceiver in NFVI 802 transfers the hardware trusted data message to the transceiver in user communication device 801 .
- the SOC transceiver in user communication device 801 receives the data message and decrypts the hardware trust certificate for VNF 812 .
- the transceiver transfers the decrypted hardware trust certificate for VNF 812 to the SOC kernel.
- the SOC kernel validates the decrypted hardware trust certificate for VNF 812 .
- the SOC kernel transfers an instruction to the transceiver to transfer decrypted user data to application 811 .
- the transceiver decrypts the encrypted user data and transfers the decrypted user data to application 811 .
- FIG. 10 illustrates data communication SOC 1000 to exchange hardware trusted data communications.
- SOC 1000 is an example of the SOCs described above, although those SOCs may use alternative configurations and operations.
- SOC 1000 comprises data communication interface 1001 and data processing system 1002 .
- Data communication interface 1001 comprises transceivers 1021 - 1024 for USB, USART, and Ethernet.
- Data processing system 1002 comprises processing circuitry 1003 and storage system 1004 .
- Storage system 1004 stores software 1005 .
- Software 1005 includes respective software modules 1006 - 1010 .
- Transceivers 1021 - 1024 comprise communication components, such as amplifiers, filters, modulators, signal processors, ports, bus interfaces, memory, software, and the like. Transceivers 1021 - 1024 perform separate hardware based encryption and decryption on user data and hardware trust certificates.
- Processing circuitry 1003 comprises CPU cores and RAM.
- Storage system 1004 comprises non-transitory, machine-readable, data storage media, such as flash drives, memory circuitry, and the like.
- Software 1005 comprises machine-readable instructions that control the operation of processing circuitry 1003 when executed.
- All or portions of software 1006 - 1010 may be externally stored on one or more storage media, such as circuitry, discs, and the like. Some conventional aspects of SOC 1000 are omitted for clarity, such as power supplies, substrate, and the like.
- software modules 1006 - 1010 direct circuitry 1003 to perform the following operations.
- Operating system 1006 has a kernel to interface between software modules 1007 - 1010 and the SOC hardware (processing circuitry 1003 , data communication interface 1001 , storage).
- Hardware trust 1007 supports hardware trust testing, validation, and transceiver control.
- Direct Memory Access 1008 directs the exchange of user data between data communication interface 1001 and storage system 1004 under the control of hardware trust 1007 .
- Virtual machines 1009 interact between operating system 1006 and data applications 1010 .
- Data applications 1010 interact with virtual machines 1009 to exchange hardware trusted data communications.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/475,212 US10298553B2 (en) | 2017-03-31 | 2017-03-31 | Hardware trusted data communications over system-on-chip (SOC) architectures |
CA3052055A CA3052055C (en) | 2017-03-31 | 2018-03-06 | Hardware trusted data communications over system-on-chip (soc) architectures |
PCT/US2018/021056 WO2018182930A1 (en) | 2017-03-31 | 2018-03-06 | Hardware trusted data communications over system-on-chip (soc) architectures |
EP18713469.7A EP3602368B1 (en) | 2017-03-31 | 2018-03-06 | Hardware trusted data communications over system-on-chip (soc) architectures |
US16/367,018 US10749847B2 (en) | 2017-03-31 | 2019-03-27 | Hardware trusted data communications over system-on-chip (SOC) architectures |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/475,212 US10298553B2 (en) | 2017-03-31 | 2017-03-31 | Hardware trusted data communications over system-on-chip (SOC) architectures |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/367,018 Continuation US10749847B2 (en) | 2017-03-31 | 2019-03-27 | Hardware trusted data communications over system-on-chip (SOC) architectures |
Publications (2)
Publication Number | Publication Date |
---|---|
US20180288011A1 US20180288011A1 (en) | 2018-10-04 |
US10298553B2 true US10298553B2 (en) | 2019-05-21 |
Family
ID=61768464
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/475,212 Active 2037-11-17 US10298553B2 (en) | 2017-03-31 | 2017-03-31 | Hardware trusted data communications over system-on-chip (SOC) architectures |
US16/367,018 Active US10749847B2 (en) | 2017-03-31 | 2019-03-27 | Hardware trusted data communications over system-on-chip (SOC) architectures |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/367,018 Active US10749847B2 (en) | 2017-03-31 | 2019-03-27 | Hardware trusted data communications over system-on-chip (SOC) architectures |
Country Status (4)
Country | Link |
---|---|
US (2) | US10298553B2 (en) |
EP (1) | EP3602368B1 (en) |
CA (1) | CA3052055C (en) |
WO (1) | WO2018182930A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110677250B (en) | 2018-07-02 | 2022-09-02 | 阿里巴巴集团控股有限公司 | Key and certificate distribution method, identity information processing method, device and medium |
CN110795742B (en) | 2018-08-02 | 2023-05-02 | 阿里巴巴集团控股有限公司 | Metric processing method, device, storage medium and processor for high-speed cryptographic operation |
CN110795774B (en) | 2018-08-02 | 2023-04-11 | 阿里巴巴集团控股有限公司 | Measurement method, device and system based on trusted high-speed encryption card |
CN110874478B (en) | 2018-08-29 | 2023-05-02 | 阿里巴巴集团控股有限公司 | Key processing method and device, storage medium and processor |
CN115943381A (en) * | 2021-05-29 | 2023-04-07 | 华为技术有限公司 | Data encryption and decryption method and device |
Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060059372A1 (en) | 2004-09-10 | 2006-03-16 | International Business Machines Corporation | Integrated circuit chip for encryption and decryption having a secure mechanism for programming on-chip hardware |
US7370348B1 (en) | 1999-07-30 | 2008-05-06 | Intel Corporation | Technique and apparatus for processing cryptographic services of data in a network system |
US7469338B2 (en) | 2002-07-29 | 2008-12-23 | Broadcom Corporation | System and method for cryptographic control of system configurations |
US20090210719A1 (en) | 2008-02-19 | 2009-08-20 | Konica Minolta Holdings, Inc. | Communication control method of determining whether communication is permitted/not permitted, and computer-readable recording medium recording communication control program |
US7587587B2 (en) | 2002-12-05 | 2009-09-08 | Broadcom Corporation | Data path security processing |
US7826614B1 (en) * | 2003-11-05 | 2010-11-02 | Globalfoundries Inc. | Methods and apparatus for passing initialization vector information from software to hardware to perform IPsec encryption operation |
US8099629B2 (en) | 2006-07-14 | 2012-01-17 | Marvell World Trade Ltd. | System-on-a-chip (SoC) test interface security |
US8356188B2 (en) | 2005-12-23 | 2013-01-15 | Nagravision S.A. | Secure system-on-chip |
US8458791B2 (en) | 2010-08-18 | 2013-06-04 | Southwest Research Institute | Hardware-implemented hypervisor for root-of-trust monitoring and control of computer system |
US20140112471A1 (en) | 2011-01-05 | 2014-04-24 | Ramesh Pendakur | Method and Apparatus for Building a Hardware Root of Trust and Providing Protected Content Processing Within an Open Computing Platform |
US8775757B2 (en) | 2012-09-25 | 2014-07-08 | Apple Inc. | Trust zone support in system on a chip having security enclave processor |
US20140310536A1 (en) | 2013-04-16 | 2014-10-16 | Qualcomm Incorporated | Storage device assisted inline encryption and decryption |
US20150261965A1 (en) | 2014-03-11 | 2015-09-17 | Qualcomm Incorporated | Dynamic encryption keys for use with xts encryption systems employing reduced-round ciphers |
US9317708B2 (en) | 2008-08-14 | 2016-04-19 | Teleputers, Llc | Hardware trust anchors in SP-enabled processors |
WO2016166134A1 (en) | 2015-04-17 | 2016-10-20 | Gemalto Sa | Device for managing multiple accesses to a secure module of a system on chip of an apparatus |
US20160378996A1 (en) | 2015-06-26 | 2016-12-29 | Intel Corporation | Establishing hardware roots of trust for internet-of-things devices |
US20170054565A1 (en) | 2014-05-08 | 2017-02-23 | Huawei Technologies Co., Ltd. | Certificate Acquiring Method and Device |
Non-Patent Citations (2)
Title |
---|
ETSI; "Network Function Virtualisation (NFV); Trust; Report on Attestation Technologies and Practices for Secure Deployments;" Group Specification; Feb. 18, 2017; pp. 1-27; Draft ETSI GS NFV SEC 007 V0.0.7; ETSI; Sophia Antipolis Cedex, France. |
ETSI; "Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance;" Group Specification; Dec. 2014; pp. 1-57; ETSI GS NFV-SEC 003 V1.1.1; ETSI; Sophia Antipolis Cedex, France. |
Also Published As
Publication number | Publication date |
---|---|
CA3052055C (en) | 2020-11-03 |
WO2018182930A1 (en) | 2018-10-04 |
EP3602368A1 (en) | 2020-02-05 |
CA3052055A1 (en) | 2018-10-04 |
EP3602368B1 (en) | 2021-06-30 |
US20190222563A1 (en) | 2019-07-18 |
US20180288011A1 (en) | 2018-10-04 |
US10749847B2 (en) | 2020-08-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: SPRINT COMMUNICATIONS COMPANY L.P., KANSAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MARQUARDT, RONALD R.;PACZKOWSKI, LYLE WALTER;RAJAGOPAL, ARUN;SIGNING DATES FROM 20170323 TO 20170330;REEL/FRAME:041804/0530 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: DEUTSCHE BANK TRUST COMPANY AMERICAS, NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNORS:T-MOBILE USA, INC.;ISBV LLC;T-MOBILE CENTRAL LLC;AND OTHERS;REEL/FRAME:053182/0001 Effective date: 20200401 |
|
AS | Assignment |
Owner name: T-MOBILE INNOVATIONS LLC, KANSAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SPRINT COMMUNICATIONS COMPANY L.P.;REEL/FRAME:055604/0001 Effective date: 20210303 |
|
AS | Assignment |
Owner name: SPRINT SPECTRUM LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: SPRINT INTERNATIONAL INCORPORATED, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: SPRINT COMMUNICATIONS COMPANY L.P., KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: SPRINTCOM LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: CLEARWIRE IP HOLDINGS LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: CLEARWIRE COMMUNICATIONS LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: BOOST WORLDWIDE, LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: ASSURANCE WIRELESS USA, L.P., KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: T-MOBILE USA, INC., WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: T-MOBILE CENTRAL LLC, WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: PUSHSPRING, LLC, WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 
20220822 Owner name: LAYER3 TV, LLC, WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 Owner name: IBSV LLC, WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001 Effective date: 20220822 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |